Program Construction from Formal Specifications
Richard Wallace, Senior Consultant, Quantum Solutions
Vision Statement
• Given a valid specification a valid implementation can be constructed.
• A System is thus “Correct by Design.”
Presentation to SCRA
Goals
• Reduce System Cost.
• Reduce Defects in delivered Product.
• Reduce System Redesign Time.
Objective
• An IDE for construction and proof of Formal Specifications.
• Multiple back-end processing creating application-specific implementations from Formal Specifications.
Situation Today
• Tool plethora for aiding in construction of implementations.
• Few tools for the construction of specifications.
• Sparse commercial tools for proving formal specifications.
Events creating today’s situation
• Learning Curve.
• Time to Market.
• Perceived need to “hack” together a solution.
• “Tinkering” valued over Design.
Available Options
• Design and Implementation Calculus notations.
• Automated/Animated Simulators / Implementation Notation Generators.
• Proof Tools generating application-specific implementations.
Working Definitions
• Formal Specification
  • A concise description of behavior and properties written in a mathematically-based language allowing proof via accepted axioms and theorems.
• Formal Proof
  • A series of steps which draws conclusions from a set of accepted axioms and theorems, giving a complete argument for the validity of statements that describe a system.
Working Definitions (Cont.)
• Specification Animator
  • Non-formal “executables” providing the high-level dynamic behavior of the specification.
  • The animation introduces temporal behavior.
  • Assists in verification of proof boundaries (temporal, dimensional, conditional).
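The two definition slides above describe a formal specification (state, invariant, operations with pre- and postconditions) and a specification animator that executes it to expose proof boundaries. The following Python block is an added example, not part of the presentation or any tool it lists: it encodes a small Z-style state schema for a session table (a constructed example; the schema, the `Sessions` class, the `animate` function and the trace are all assumptions made here) and animates it. Each operation checks its precondition, the invariant is re-checked after every step, and a bounded exhaustive check of the inductive step shows the kind of obligation a theorem prover would discharge in general.

```python
"""Specification animator for a constructed Z-style state schema (added example).

State schema:   Sessions == [ active : P USER; cap : N | #active <= cap ]
Operations (constructed for this example):
  Login(u)   pre: u not in active and #active < cap    post: active' = active U {u}
  Logout(u)  pre: u in active                          post: active' = active \\ {u}

Animating a trace makes the conditional boundary (preconditions) and the
dimensional boundary (the capacity bound in the invariant) visible as runs.
"""
from dataclasses import dataclass, field
from itertools import combinations


class PreconditionError(Exception):
    """Raised when an operation is applied outside its precondition."""


@dataclass(frozen=True)
class Sessions:
    cap: int
    active: frozenset = field(default_factory=frozenset)

    def invariant(self) -> bool:
        """Schema predicate: the active set never exceeds the capacity."""
        return self.cap >= 0 and len(self.active) <= self.cap

    def login(self, user: str) -> "Sessions":
        """Login operation: precondition first, then the after-state."""
        if user in self.active or len(self.active) >= self.cap:
            raise PreconditionError(f"Login({user}) outside precondition")
        return Sessions(self.cap, self.active | {user})

    def logout(self, user: str) -> "Sessions":
        """Logout operation: precondition first, then the after-state."""
        if user not in self.active:
            raise PreconditionError(f"Logout({user}) outside precondition")
        return Sessions(self.cap, self.active - {user})


def animate(initial: Sessions, trace):
    """Execute a trace of (op, user) pairs against the specification.

    Returns a list of (step, outcome, state) where outcome is
    'ok'  - operation applied, invariant holds in the after-state,
    'pre' - precondition violated, state unchanged,
    'inv' - after-state breaks the invariant (a defect in the spec itself).
    """
    assert initial.invariant(), "initial state must satisfy the invariant"
    state, log = initial, []
    for step, (op, user) in enumerate(trace):
        try:
            nxt = getattr(state, op)(user)
        except PreconditionError:
            log.append((step, "pre", state))
            continue
        if not nxt.invariant():
            log.append((step, "inv", nxt))
            break
        state = nxt
        log.append((step, "ok", state))
    return log


def invariant_preserved(cap_max: int, users=("a", "b", "c")) -> bool:
    """Bounded check of the inductive proof obligation: for every state that
    satisfies the invariant (within the bounds) and every operation enabled
    by its precondition, the after-state satisfies the invariant too."""
    for cap in range(cap_max + 1):
        for n in range(len(users) + 1):
            for subset in combinations(users, n):
                st = Sessions(cap, frozenset(subset))
                if not st.invariant():
                    continue
                for u in users:
                    for op in ("login", "logout"):
                        try:
                            nxt = getattr(st, op)(u)
                        except PreconditionError:
                            continue
                        if not nxt.invariant():
                            return False
    return True


# Constructed trace: the third login exceeds cap=2, the first logout names a
# user who never logged in; both are precondition violations, not crashes.
TRACE = [("login", "alice"), ("login", "bob"), ("login", "carol"),
         ("logout", "dave"), ("logout", "alice"), ("login", "carol")]


def run_demo():
    return animate(Sessions(cap=2), TRACE)


if __name__ == "__main__":
    for step, outcome, state in run_demo():
        print(step, outcome, sorted(state.active))
    print("inductive step holds within bounds:", invariant_preserved(3))
```

The animator and the bounded check play different roles: the trace shows how the specification behaves on one run, while `invariant_preserved` exhausts every small state and operation, which is the obligation a prover such as those listed later in the deck would establish for all sizes rather than up to a bound.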
Possible Notations...
ACL2 theorem prover, a successor to the Boyer-Moore theorem prover. Version 1.8 available now, 1.9 coming soon.
Action Semantics, a framework for specifying formal semantics of programming languages.
Algebraic Design Language, a higher-order software specification language.
Assertion Definition Language Translator (ADLT), a specification-based testing tool-set.
Auto/Graph, model-based automatic verification of distributed communicating systems.
BDDs (Binary Decision Diagrams) for finite-state verification problems.
B-Method, including the B-Tool and B-Tool-kit.
Boyer-Moore theorem prover (a forerunner of Nqthm). Available via ICOT Free Software for use under Unix at ICOT (Japan), SICS (Sweden), GMD (Germany) and Univ. of Oregon (USA).
CCS (Calculus of Communicating Systems). An algebra for specifying and reasoning about concurrent systems.
Circal (CIRcuit CALculus) System supporting a process algebra which may be used to rigorously describe, verify and simulate concurrent systems.
COLD (Common Object-oriented Language for Design), a wide-spectrum specification language.
Concurrency Factory, a "next generation" Concurrency Workbench tool-kit.
Coq proof assistant. See also CtCoq, a working environment for the Coq project theorem prover.
COSPAN (COordinated SPecification ANalysis), a general-purpose rapid-prototyping tool, using the S/R (selection/resolution) language.
CSP (Communicating Sequential Processes) including the FDR tool.
CWB (Edinburgh Concurrency Workbench) automated toolset. See also the Concurrency Factory and CWB-NC (The Concurrency Workbench of North Carolina), which includes a LOTOS interface, diagnostic information, etc. Note: The CWB and CWB-NC have a common ancestor, but are each under separate development.
DisCo specification method for reactive systems including a tool developed at the Tampere University of Technology, Finland.
Estelle: EDT (Estelle Development Toolset) and example specifications.
Esterel language and tools for synchronous reactive systems, including verification support.
Possible Notations (Cont.)
EVES tool, based on ZF set theory, from ORA, Canada. See also Z/EVES which provides a Z front-end to EVES. Both are now available for on-line distribution.
Evolving Algebras, University of Michigan, USA. See also here, University of Paderborn, Germany.
Extended ML framework for the specification and formal development of modular Standard ML programs.
GIL, a graphical interval logic tool. See also publications by Laura Dillon.
HOL mechanical theorem proving system, based on Higher Order Logic.
HyTech (The HYbrid TECHnology Tool), an automatic tool for the analysis of embedded systems which computes the condition under which a linear hybrid system satisfies a temporal-logic requirement.
IMPS, an Interactive Mathematical Proof System intended to provide mechanical support for traditional mathematical techniques and styles of practice.
Isabelle. See also the Cambridge Automated Reasoning Group and FTP access including an index.
JAPE (Just Another Proof Editor) by Bernard Sufrin and Richard Bornat is available via anonymous FTP. See also MacOS JAPE.
KIV (Karlsruhe Interactive Verifier). A tool for the development of correct software using stepwise refinement.
LAMBDA toolset from Abstract Hardware Ltd, UK, supports formal verification for hardware/software co-design.
Larch and LP (Larch Prover). See also DEC SRC's Larch Home Page and the Larch Project at CMU. The Larch tool set (look at the README file first) is available.
LeanTaP, a tableau-based deduction theorem prover for classical first-order logic.
LEGO proof assistant.
LOTOS (Language of Temporal Ordering Specifications). See also information from Madrid, Ottawa and Stirling.
Lustre synchronous declarative language for programming reactive systems, including verification.
Maintainer's Assistant, a tool for reverse engineering and re-engineering code using formal methods.
Meije tools for the verification of concurrent programs. Includes ATG, a graphical editor/visualizer.
Mizar tool, a long-term effort aimed at developing software to support a working mathematician in preparing papers.
Possible Notations (Cont.)
Model Checking at CMU, a method for formally verifying finite-state concurrent systems. Available packages include: BDD library with extensions for sequential verification. CV, a VHDL model checker. CSML and MCB, a language for compositional description of finite state machines and a (non-symbolic) model checker for CTL. SMV (Symbolic Model Verifier) model checker for finite-state systems, using the specification language CTL (Computation Tree Logic), a propositional branching-time temporal logic. See also Word-level SMV for verifying arithmetic circuits efficiently.
Mural tool to aid formal reasoning about specifications including a proof assistant and VDM support. See also the Mural Project.
Murphi description language and verifier tool for finite-state verification of concurrent systems.
Nqthm theorem prover and the Pc-Nqthm interactive “Proof-checker” enhancement of the Boyer-Moore Theorem Prover from Computational Logic Inc. See also Nqthm users Gopher information.
Nuprl tool based on intuitionistic type theory.
OBJ - OBJ3 and 2OBJ.
Otter, an automated deduction system.
Petri Nets, a formal graphical notation for modelling systems with concurrency. See also conferences and tools.
Pi-calculus, a calculus for mobile processes. See also papers by Robin Milner et al. and the Mobility Workbench (see information and a BibTeX bibliography).
Pobl. A development method for concurrent object-based programs.
ProofPower is a commercial tool, developed by ICL, supporting development and checking of specifications and formal proofs in Higher Order Logic and/or Z. Support for Z uses a deep(ish) embedding of Z into HOL, but includes syntax and type checking customized for Z.
Prover Technology, NPL, for automated proof by modelling systems in propositional logic using a unique patented algorithm.
PVS (Prototype Verification System) tool based on classical typed higher-order logic developed at the SRI International Computer Science Laboratory.
RAISE language and tools from CRI, Denmark.
Rapide language and toolset, for building large-scale distributed multi-language systems.
Refinement Calculus by Ralph Back et al.
SDL (Specification and Description Language) from the SDL Forum Society. See also previous site here.
SPARK secure subset of Ada, including SPARK Examiner tool for program analysis and verification.
Possible Notations (Cont.)
SPIN is an automated verification tool (model checker), using a language based on CSP, for finite state systems, such as protocols or validation models of distributed systems, developed at AT&T Bell Labs.
STeP, the Stanford Temporal Prover.
TAM. The Temporal Agent Model from the Real-Time Systems Research Group at York University.
TLA (Temporal Logic of Actions) has tool support.
TPS and ETPS, the Theorem Proving System and the Educational Theorem Proving System.
TRIO language and tools for real-time systems, based on temporal logic.
TTM/RTTL framework for real-time reactive systems.
UNITY, a programming notation and a logic to reason about parallel and distributed programs.
UPPAAL verification and validation tools for real-time systems. Model checking and simulation with a graphical interface.
VDM (Vienna Development Method). See also the Mural tool, VDM text books, VDM++ object-oriented extension, and VDM forum mailing list.
VIS (Verification Interacting with Synthesis), a system for formal verification, synthesis, and simulation of finite state systems, especially logic circuits. Includes a Verilog HDL front-end.
Z notation for formal specification.
Commercial Companies...
Abstract Hardware Limited, Uxbridge, Middlesex, UK. Products including the LAMBDA system synthesis tool set and PolyML, a commercially supported version of Standard ML. Services include training courses and consultancy.
Adelard, London, UK. Consultancy in the areas of: development, verification and assessment; safety cases; standards and guidelines; training and technology transfer.
B-Core (UK) Limited, Oxford, UK. B-Tool-kit, based on the B-Tool.
BT Laboratories, Martlesham, Ipswich, UK. Formal Methods Group.
Cap Volmac, Utrecht, The Netherlands. VDM++ language and tools.
Chrysalis Symbolic Design, Inc., North Billerica, MA, USA. Produces software for creating and verifying electronic circuits and systems. Products include Symbolic Logic(tm) technology to help with formal verification.
COMPASS Design Automation, San Jose, CA, USA. VHDL formal verification tool for electronics design automation (EDA). See the interactive tour of the VFormal product.
Computational Logic Inc., Austin, Texas, USA. Nqthm and Pc-Nqthm theorem proving tools. Hardware verification including the FM9001 microprocessor.
CRI, Denmark. RAISE language and tools.
CVI (Dutch Rail Automation), Utrecht, The Netherlands.
Computer Science Consultancy, UK. fuzz - Z type-checker tool.
Digilog, France. Atelier B tool supporting the B-Method.
DST (Deutsche System-Technik GmbH), Kiel, Germany. DST fUZZ - Z tool.
Edinburgh Portable Compilers Ltd., UK. B-Tool.
Formal Systems (Europe) Ltd., Oxford, UK. FDR tool for CSP model checking.
GEC Alsthom, Paris, France. Users of the B-Tool.
Harlequin, Australia / UK / USA. Consultancy including formal software engineering and reasoning systems.
IBM Hursley Park, UK. Technology Center, Clear Lake, Texas USA.
IFAD, Odense, Denmark. Products include the VDM Toolbox and VDM to C++ Code Generator.
Inmos, Bristol, UK. (now SGS-Thomson Microelectronics)
IST (Imperial Software Technology Ltd), Reading, UK. (Also Cambridge, London, and Palo Alto, USA.) Software engineering company, including an Advanced Technology Group specializing in the application of formal methods for high-integrity and secure systems. Products include Zola, an integrated editor, type-checker and prover for the Z notation.
Commercial Companies (Cont.)
Kestrel Institute, California, USA. Undertakes research in applying formal methods and automated reasoning systems to software engineering.
K&M Technologies Limited, Dublin, Ireland. Industrial exploitation of the Irish School of the VDM, etc.
Lloyds Register, Croydon, UK.
Logica UK Limited. Formal methods tools and services, including the Formaliser Z type-checker.
Logikkonsult NP AB, Sweden. Products include Prover (a theorem prover for propositional logic extended with finite integer arithmetic) and NP-Tools (a framework for mathematically proving safety properties).
ORA, Ottawa, Canada. EVES tool.
Philips GmbH Forschungslaboratorien, Aachen, Germany.
Praxis, Bath, UK. Praxis Critical Systems have skills in formal specification, static analysis, safety engineering. Products include SPARK language and tool support for program verification.
Program Validation Limited, UK. (now Praxis Critical Systems)
Research Access Inc., USA. Specification and verification documents.
RWTÜV Anlagentechnik, Germany.
SRI, Menlo Park, California, USA. Also, Cambridge, UK. Formal methods information and PVS tool.
Telelogic AB, Malmö, Sweden. Products include SDT, a software engineering toolset based on SDL, and the ITEX test suite tool.
Verilog, USA. See also France. Products include the ObjectGEODE toolset, based on the OMT, SDL and MSC standards notations, dedicated to analysis, design, verification and validation through simulation, code generation and testing of real-time and distributed applications.
Which to Use?
• Dependent on level of risk.
• Dependent on client sophistication.
• Dependent on implementation desired.
Any “Silver Bullet” Solutions?
• Universal tool for all Formal Specification
  • None exists.
• Formal Methods do not guarantee a perfect product.
• “…mathematical rigour cannot eliminate mistakes entirely. All it can do is reduce their likelihood -- drastically.” (Carroll Morgan, Oxford PRG)
Future: Commercial Formal Methods
• Based on
  • Z/EVES & B
  • STeP & CSP
  • Concurrency Factory.
• GUI for non-code notations and animation.
• Must have multiple implementation generators.
• Must have animator for all implementations.
• System decomposer using incremental system proofs.
Questions?